<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Adrian Alexandru Stinga</title>
    <description>The latest articles on DEV Community by Adrian Alexandru Stinga (@aetherintel).</description>
    <link>https://dev.to/aetherintel</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3925454%2F5102f7e9-b1d3-4ecb-bd4c-5333d690c80d.jpg</url>
      <title>DEV Community: Adrian Alexandru Stinga</title>
      <link>https://dev.to/aetherintel</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/aetherintel"/>
    <language>en</language>
    <item>
      <title>Europe Through 2028: The Infrastructure of the Next Global Election Cycle</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Fri, 29 May 2026 15:13:24 +0000</pubDate>
      <link>https://dev.to/aetherintel/europe-through-2028-the-infrastructure-of-the-next-global-election-cycle-omh</link>
      <guid>https://dev.to/aetherintel/europe-through-2028-the-infrastructure-of-the-next-global-election-cycle-omh</guid>
      <description>&lt;p&gt;In the world of security, we are obsessed with "zero days" and active breaches. We look for the explosion. But as I’ve been tracking across monitored dark web and Telegram ecosystems over the last few months, the most significant threat we’re currently facing isn't a payload it’s an infrastructure build.&lt;/p&gt;

&lt;p&gt;The networks that will define the geopolitical landscape in 2028 are not being built then. They are being assembled now.&lt;/p&gt;

&lt;p&gt;The "Build Phase" Problem&lt;/p&gt;

&lt;p&gt;We are currently in the seam between the initial procurement of assets and the mass activation of influence infrastructure. Based on our latest strategic assessment at Aether Intel, we expect the large-scale reappearance of "warmed" and "aged" accounts between late 2026 and Q1 2027.&lt;/p&gt;

&lt;p&gt;Why does this window matter? Because influence operations are a logistical challenge. You cannot manufacture credible, aged social media accounts or trusted operators overnight. They have to be built, aged, and fed with authentic-looking content months or years in advance.&lt;/p&gt;

&lt;p&gt;What We’re Observing: The Shift in Adversary Tradecraft&lt;/p&gt;

&lt;p&gt;If you look at the chatter in the dark web marketplaces and private Telegram channels, you don't see "loud" threats. You see patience. We are tracking four key indicators of this long-term build:&lt;/p&gt;

&lt;p&gt;Selective Recruitment: It’s no longer about bulk spamming. Adversaries are pivoting to mid-to-senior level operators selected based on reputation and operational security (OPSEC). They aren't looking for quantity; they are looking for "vouched" capability.&lt;/p&gt;

&lt;p&gt;Recycled Criminal Proceeds: We are seeing a distinct movement where proceeds from standard cyber-criminality (like RaaS or fraud) are being diverted to fund influence infrastructure that doesn't necessarily pay for itself in the short term. This is a strategic investment in geopolitical leverage.&lt;/p&gt;

&lt;p&gt;The Native-Language Affiliate Model: One playbook, many regional faces. Instead of translating wholesale, which triggers detection, we see regional affiliates adapting narratives to sound natively organic. This diffuse model makes attribution almost impossible.&lt;/p&gt;

&lt;p&gt;The AI Compounding Effect: Generative AI is reducing the cost of every single component, from account aging to content synthesis, by orders of magnitude.&lt;/p&gt;

&lt;p&gt;Why This is a Geopolitical Convergence&lt;/p&gt;

&lt;p&gt;The core takeaway of our latest Horizon Briefings series is this: Criminal infrastructure and influence operations have stopped being separate problems.&lt;/p&gt;

&lt;p&gt;They are converging. The tools used to commit financial fraud are now the exact same tools used to run influence campaigns. The infrastructure that keeps a C2 server alive is the same infrastructure maintaining a botnet of aged-to-authenticity accounts.&lt;/p&gt;

&lt;p&gt;The Defender’s Window is Now&lt;/p&gt;

&lt;p&gt;By the time these networks surface on the open web in 2028, the hard part for the adversary will be done. They will have bypassed the "trust filters" of major platforms because their accounts will have years of legitimate-looking history.&lt;/p&gt;

&lt;p&gt;The window to disrupt this capability is during the Build Phase.&lt;/p&gt;

&lt;p&gt;For us, as practitioners, this means shifting our focus from detection to predictive visibility. We need to monitor for the transition from inactivity to reappearance, one of the cleanest indicators we have.&lt;/p&gt;
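&lt;p&gt;What "monitoring the transition from inactivity to reappearance" looks like as an actual check, as an added example that is not part of the original post and not Aether Intel's tooling: over a constructed set of account activity records it flags accounts that were silent for a long period and then post again, keeps only those old enough to count as "aged", and then looks for several such reactivations landing in the same short window, which is the mass-activation signal the post is forecasting. The record format, the 180-day dormancy threshold, the 365-day age floor and the 7-day clustering window are all assumptions.&lt;/p&gt;

```python
"""Dormancy-to-reappearance detection over constructed account activity.

Added example, not code from the original post or from Aether Intel.
The event records, the 180-day dormancy threshold, the 365-day age
floor and the 7-day clustering window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (account id, account creation date, post date).
EVENTS = [
    ("acct-01", "2023-02-10", "2023-03-01"),
    ("acct-01", "2023-02-10", "2023-04-15"),
    ("acct-01", "2023-02-10", "2026-11-03"),  # reappears after a multi-year silence
    ("acct-02", "2023-05-20", "2023-06-01"),
    ("acct-02", "2023-05-20", "2026-11-04"),  # reappears in the same week
    ("acct-03", "2024-01-09", "2024-02-01"),
    ("acct-03", "2024-01-09", "2026-11-05"),  # reappears in the same week
    ("acct-04", "2026-09-01", "2026-09-10"),
    ("acct-04", "2026-09-01", "2026-11-06"),  # too young to count as aged
    ("acct-05", "2023-07-01", "2023-08-01"),
    ("acct-05", "2023-07-01", "2023-09-01"),  # steady poster, never dormant
]


def _d(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d")


def find_reactivations(events, dormant_days=180, aged_days=365):
    """Return [(account, gap_days, reactivated_on)] for accounts that went
    silent for at least dormant_days and were at least aged_days old when
    they posted again."""
    posts = defaultdict(list)
    created = {}
    for account, made, stamp in events:
        posts[account].append(_d(stamp))
        created[account] = _d(made)
    hits = []
    for account, stamps in posts.items():
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:]):
            gap = (cur - prev).days
            age = (cur - created[account]).days
            if gap >= dormant_days and age >= aged_days:
                hits.append((account, gap, cur.date().isoformat()))
    return hits


def cluster_reactivations(hits, window_days=7, min_accounts=3):
    """Slide a window over the reactivation dates; return the distinct
    account sets of size at least min_accounts that fall inside one window.
    Several aged accounts waking up together is the mass-activation signal;
    a lone account waking up is just noise."""
    ordered = sorted(hits, key=lambda h: h[2])
    clusters = []
    for i, (_, _, start) in enumerate(ordered):
        end = _d(start) + timedelta(days=window_days)
        members = sorted({a for a, _, day in ordered[i:] if end >= _d(day)})
        if len(members) >= min_accounts and members not in clusters:
            clusters.append(members)
    return clusters


if __name__ == "__main__":
    found = find_reactivations(EVENTS)
    for account, gap, day in found:
        print(f"{account}: silent {gap} days, back on {day}")
    print("clustered reactivations:", cluster_reactivations(found))
```

&lt;p&gt;The thresholds are the tuning knobs: the dormancy gap separates parked accounts from ordinary lulls, the age floor drops freshly registered sockpuppets that platform trust filters already catch, and the window size decides how tight a reactivation burst has to be before it reads as coordinated rather than coincidental.&lt;/p&gt;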

&lt;p&gt;This article summarizes the key insights from our latest report, "Europe Through 2028: Strategic Threat Forecast". If you are interested in the granular technical analysis of these behavioral patterns, you can read the full report at Aether-Intel.com. - Horizon Briefings&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>behavior</category>
      <category>machinelearning</category>
    </item>
    <item>
      <title>You Don’t Need to Be Recruited to Become an Asset</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Tue, 26 May 2026 13:50:20 +0000</pubDate>
      <link>https://dev.to/aetherintel/you-dont-need-to-be-recruited-to-become-an-asset-55lb</link>
      <guid>https://dev.to/aetherintel/you-dont-need-to-be-recruited-to-become-an-asset-55lb</guid>
      <description>&lt;p&gt;In the landscape of modern cyber-espionage and non-state actor operations, there is a recurring misconception in security analysis: the belief that there is a coherent ideology behind every attacker. Analysts often fall into the trap of seeking a "cause" or a set of beliefs to explain the actions of threat actors. However, recent intelligence, specifically the GN-065 report: Loyalty Without Allegiance report from Aether Intel, reveals a different reality: the modern proxy operator is not a "digital patriot," but a figure whose effectiveness relies on pragmatic, transactional compartmentalization.&lt;/p&gt;

&lt;p&gt;The Myth of the "Cyber Patriot"&lt;br&gt;
The idea that cyber-operators act out of national or ideological fervor is a dangerous simplification. In reality, most actors operating in the gray zone, whether within Ransomware-as-a-Service (RaaS) groups or state-aligned proxy networks, are not driven by flags or doctrines. They are high-level mercenaries navigating an environment that demands they act against their own underlying values, or at the very least, remain indifferent to them.&lt;/p&gt;

&lt;p&gt;Their effectiveness is not built on loyalty, but on a psychological defense mechanism: compartmentalization.&lt;/p&gt;

&lt;p&gt;The Psychological Architecture: Three Profiles&lt;br&gt;
The report identifies three dominant profiles of proxy operators, defined not by their technical capabilities, but by the "anchors" that keep them tethered to their handlers:&lt;/p&gt;

&lt;p&gt;The Financial Operator: For them, "professionalism" is a mask. They treat cyber-operations like a corporate job. They are often trapped in a cycle of financial necessity, where the demands of their handlers make exiting the ecosystem practically impossible.&lt;/p&gt;

&lt;p&gt;The Status-Driven Operator: These individuals build their identity around their reputation within underground communities. The role is the identity. The fear of losing status or "face" among their peers is far more potent than the fear of legal or moral consequences.&lt;/p&gt;

&lt;p&gt;The Captured Operator: Operating through "compliance by fear." These are the most vulnerable actors. They have neither motivation nor autonomy; they act out of inertia and a desperate lack of safe alternatives.&lt;/p&gt;

&lt;p&gt;The full proxy profiles are available on the Aether Intel demo SaaS platform at aether-intel.com (9 of them are public).&lt;/p&gt;

&lt;p&gt;The "Detection Window": Signals of Deterioration&lt;br&gt;
For Threat Intelligence and Counterintelligence professionals, the most critical takeaway from the report is that people are not machines. No matter how disciplined the compartmentalization is, psychological stress eventually takes its toll.&lt;/p&gt;

&lt;p&gt;The report emphasizes the importance of monitoring for "motivation deterioration signals." When a proxy operator begins to show signs of exhaustion, when their operational discipline falters, or when there are abrupt shifts in engagement, we are witnessing a crack in the facade.&lt;/p&gt;

&lt;p&gt;Why does this matter? Because these cracks represent "windows of opportunity." An operator who is losing their conviction or who is becoming frustrated with their handlers is an operator who can be "flipped" or who may provide intelligence of inestimable value.&lt;/p&gt;

&lt;p&gt;Reporting as an Act of Integrity&lt;br&gt;
A vital point made by the report is the reframing of the reporting process. In an ecosystem where loyalty is merely a facade, reporting observed activities is not an act of betrayal; it is an act of integrity.&lt;/p&gt;

&lt;p&gt;In the world of cyber-defense, where digital infrastructure is the new theater of operations, the psychological stability and motivations of those operating within it are matters of global security.&lt;/p&gt;

&lt;p&gt;Conclusion: Look Beyond the Code&lt;br&gt;
When we analyze RaaS groups or espionage operations, we must realize that we are not just fighting against malware or server infrastructure; we are dealing with complex human architectures.&lt;/p&gt;

&lt;p&gt;As Aether Intel aptly notes, "never mistake the operator’s output for the operator’s soul." Understanding the psychology behind "loyalty without allegiance" is not just an academic exercise; it is the most effective way to anticipate, and ultimately dismantle, a threat before the strike occurs.&lt;/p&gt;

&lt;p&gt;The full reports on Aether-Intel.com trace the connection between the proxy patriot and the dark web.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>humint</category>
      <category>cybersecurity</category>
      <category>osint</category>
    </item>
    <item>
      <title>HUMINT Challenge #1: Think Like an Adversary 🎯
New ransomware group, 2TB claimed, high pressure. 
But something’s off: old infrastructure, mismatched data samples, atypical tactics.

Is it a bluff or a real threat? How do you investigate?

#HUMINT</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Sat, 23 May 2026 16:33:04 +0000</pubDate>
      <link>https://dev.to/aetherintel/humint-challenge-1-think-like-an-adversary-new-ransomware-group-2tb-claimed-high-pressure-7lj</link>
      <guid>https://dev.to/aetherintel/humint-challenge-1-think-like-an-adversary-new-ransomware-group-2tb-claimed-high-pressure-7lj</guid>
      <description></description>
      <category>cybersecurity</category>
      <category>discuss</category>
      <category>infosec</category>
      <category>security</category>
    </item>
    <item>
      <title>Hybrid Warfare Never Stopped. Most People Just Stopped Recognizing It.</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Fri, 22 May 2026 05:23:14 +0000</pubDate>
      <link>https://dev.to/aetherintel/hybrid-warfare-never-stopped-most-people-just-stopped-recognizing-it-1h4l</link>
      <guid>https://dev.to/aetherintel/hybrid-warfare-never-stopped-most-people-just-stopped-recognizing-it-1h4l</guid>
      <description>&lt;p&gt;What a decade of observing hybrid warfare ecosystems reveals about where we are now.&lt;br&gt;
There is a moment, when you have been watching something long enough, where the pattern stops feeling like analysis and starts feeling like memory.&lt;/p&gt;

&lt;p&gt;I have spent well over a decade monitoring the intersection of hybrid warfare operations, dark web criminal ecosystems, and the information environments that connect them. I did not start this work from a think tank, an intelligence agency, or a university. I started it from inside the communities being studied, observing in real time, from a NATO Eastern Flank position, as the architecture of modern information warfare was being assembled around me.&lt;/p&gt;

&lt;p&gt;What I want to share here is not academic. It is observational. And the observation that matters most right now is this:&lt;/p&gt;

&lt;p&gt;The actors who built the first generation of hybrid warfare infrastructure are still operational. They are significantly more capable. And the population they are targeting is significantly more susceptible than it was when this started.&lt;/p&gt;

&lt;p&gt;The Architecture That Was Being Built While No One Was Watching&lt;br&gt;
When the first coordinated information operations appeared across European social media platforms in early 2014, the analysis that followed treated them as a novel phenomenon. What direct community monitoring revealed was something different: the infrastructure had been under construction for months. Communities with ostensibly cultural or historical focus, cultivated across multiple languages simultaneously, activated as coordinated distribution networks within hours of a triggering geopolitical event. The narrative architecture was not assembled in response to events. It was prepared in advance and deployed on cue.&lt;/p&gt;

&lt;p&gt;The simultaneity was the tell. Organic public sentiment does not appear in Romanian, Italian, Serbian, and Hungarian communities with culturally localized framing within eighteen hours of a triggering event. Coordination does.&lt;/p&gt;
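&lt;p&gt;The simultaneity tell as a check, as an added example that is not from the original article: for each narrative over a constructed set of first-seen posts it keeps the earliest appearance per language community and flags the narrative when at least three communities carried it inside one 18-hour window. Community labels, narrative ids, timestamps, the window and the community threshold are assumptions chosen to mirror the paragraph; the comparison narrative that spreads over days is left unflagged.&lt;/p&gt;

```python
"""Cross-community simultaneity check over constructed first-seen posts.

Added example, not code from the original article. Community labels,
narrative ids, timestamps, the 18-hour window and the 3-community
threshold are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: (language community, narrative id, time first observed, UTC).
POSTS = [
    ("ro", "N1", "2014-03-02T06:10"),
    ("it", "N1", "2014-03-02T09:40"),
    ("sr", "N1", "2014-03-02T13:05"),
    ("hu", "N1", "2014-03-02T21:30"),
    ("ro", "N1", "2014-03-03T08:00"),  # later repost; only the earliest per community counts
    ("ro", "N2", "2014-03-04T10:00"),
    ("hu", "N2", "2014-03-09T17:00"),  # organic-looking spread over days
    ("it", "N2", "2014-03-15T12:00"),
    ("sr", "N3", "2014-03-05T11:00"),  # one community only: nothing to compare
]


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M")


def first_seen(posts):
    """Map each narrative to {community: earliest observation}."""
    seen = defaultdict(dict)
    for community, nid, stamp in posts:
        when = _t(stamp)
        current = seen[nid].get(community)
        if current is None or current > when:
            seen[nid][community] = when
    return seen


def simultaneity(posts, window_hours=18, min_communities=3):
    """Return {narrative: (community_count, spread_hours, flagged)}.

    flagged is True when at least min_communities distinct communities
    first carried the narrative inside a single window_hours span.
    """
    limit = window_hours * 3600
    report = {}
    for nid, per_community in first_seen(posts).items():
        stamps = sorted(per_community.values())
        densest = 0
        for i, start in enumerate(stamps):
            inside = [t for t in stamps[i:] if limit >= (t - start).total_seconds()]
            densest = max(densest, len(inside))
        spread = round((stamps[-1] - stamps[0]).total_seconds() / 3600, 1)
        report[nid] = (len(per_community), spread, densest >= min_communities)
    return report


if __name__ == "__main__":
    for nid, (count, spread, flagged) in sorted(simultaneity(POSTS).items()):
        print(f"{nid}: {count} communities, spread {spread}h, coordinated={flagged}")
```

&lt;p&gt;The densest-window count is what matters, not the total spread: a narrative can keep circulating for weeks organically after a coordinated launch, and it is the launch burst across culturally separate communities that organic sentiment does not produce.&lt;/p&gt;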

&lt;p&gt;What Western analysis missed at the time, and what took years to correctly categorize, was that this was not primarily a technology problem. It was a behavioral one. The operation did not create the anger; it distributed it. It found the anger that already existed, validated it, and directed it toward specific political outcomes. The emotional material was real. The grievances were genuine. The distribution was manufactured.&lt;/p&gt;

&lt;p&gt;That distinction matters profoundly, because it has not changed. It has intensified.&lt;/p&gt;

&lt;p&gt;The Criminal-Geopolitical Pipeline&lt;br&gt;
One of the most consequential findings from sustained dark web monitoring over this period is the relationship between criminal financial infrastructure and geopolitical operational infrastructure. These are not separate systems. They became the same system operating at different layers.&lt;/p&gt;

&lt;p&gt;The early phase of this integration, in the 2014–2016 period, was not state-directed. It was ideologically motivated. Actors with existing criminal capabilities (dark web markets, carding, ransomware revenue) made independent decisions to channel that revenue toward conflict support operations they genuinely believed in. The ideology preceded the state relationship. The state identified these voluntary contributors after they had already paid.&lt;/p&gt;

&lt;p&gt;This matters for detection because the standard analytical framework for state-criminal overlap assumes the state is the principal. In the Donbas model, the sequence was reversed: belief first, crime as financial infrastructure second, state identification and recruitment third. The pipeline ran from grassroots conviction through criminal capability to state-adjacent asset, not the other direction.&lt;/p&gt;

&lt;p&gt;By 2019–2020, the cryptocurrency infrastructure that had once been PayPal donation links on VK was running through Monero wallets, DEX routing, and multi-hop mixing protocols. The same community members who had been posting about conflict support in public Facebook groups in 2015 were using privacy coins and decentralized exchanges five years later. The ideological and criminal ecosystems did not separate as they matured. They grew together.&lt;/p&gt;

&lt;p&gt;The criminal-geopolitical financial overlap documented throughout this period is not a historical artifact. It is the current operating model, adapted and refined over a decade of continuous use.&lt;/p&gt;

&lt;p&gt;The Line That Does Not Exist&lt;br&gt;
The boundary between state-sponsored threat actor and criminal operator is the analytical fiction that most institutional frameworks are least equipped to abandon.&lt;/p&gt;

&lt;p&gt;The state does not direct its criminal ecosystem. It licenses it. The license is not a contract. It is an understanding: operate where you want, avoid certain targets, be available when asked, and law enforcement attention will remain structurally absent. From more than a decade of monitoring Russian-language criminal forums, the behavioral constraints of this license system are observable in aggregate forum behavior even when they are never explicitly stated. The asymmetry between actors who target Russian organizations and actors who do not is too consistent across too many actors over too long a period to be coincidental.&lt;/p&gt;

&lt;p&gt;The criminal actor who begins declining certain transaction types, improving their operational security with a discipline that exceeds what experience-based learning produces, and demonstrating knowledge of target environments that their stated criminal methodology should not provide: that actor is exhibiting the behavioral signature of state recruitment. The transition is not abrupt. It is a gradual accumulation of small improvements that individually have innocent explanations and collectively do not.&lt;/p&gt;

&lt;p&gt;For analysts who understand this architecture, the line between espionage and cybercrime is not a classification problem. It is a deliberate strategic design.&lt;/p&gt;

&lt;p&gt;Why People Are More Vulnerable Now Than They Were Then&lt;br&gt;
This is the observation that I find most important to communicate and the one that receives the least attention in the policy and security discourse I encounter.&lt;/p&gt;

&lt;p&gt;The effectiveness of influence operations is not primarily a function of their technical sophistication. It is a function of the emotional and cognitive material available in the target population. An operation that finds pre-existing grievances, validates them, and redirects the resulting emotional energy wins on the emotional register even when it loses on the factual one. Because the emotional register is where it was designed to operate.&lt;/p&gt;

&lt;p&gt;In 2014, the emotional material available in most European target populations was moderate. Institutional trust, in governments, in media, in European structures, in the transatlantic alliance, was imperfect but functional. The information operations of that period had to work against populations for whom institutional counter-narratives still carried credibility.&lt;/p&gt;

&lt;p&gt;That has changed.&lt;/p&gt;

&lt;p&gt;The populations that information operations now target in Eastern Europe carry a decade more of accumulated institutional disappointment. The brain drain is lived experience, not a statistic. The EU membership benefits are perceived as unevenly distributed by the people who received the smaller share. The economic comparisons with Western Europe are documented in the daily bank account of every person who stayed behind while someone they knew emigrated. These are not manufactured grievances. They are real.&lt;/p&gt;

&lt;p&gt;And real grievances are the only raw material that effective influence operations require.&lt;/p&gt;

&lt;p&gt;The local influencer model that has replaced bot networks in Eastern Flank electoral interference cases works precisely because authenticity cannot be manufactured. A real person, with a real community following, sharing content that reflects positions they partially hold, paid in cryptocurrency for the reach but not for the conviction: that person is not a fake. They are genuinely credible to their genuine audience. The payment buys distribution. The authenticity is real.&lt;/p&gt;

&lt;p&gt;The shift from bot networks to real people with real grievances is the single most consequential operational evolution in the influence operation landscape since 2014. It is also the evolution that is hardest to detect, hardest to disrupt, and hardest to counter without producing the iatrogenic amplification cycle where institutional counter-messaging amplifies the operation's central narrative among precisely the demographics most susceptible to it.&lt;/p&gt;

&lt;p&gt;The Dark Web as Early Warning Layer&lt;br&gt;
The operational intelligence insight that ten years of dark web monitoring has produced most consistently is this: the events that manifest on surface platforms in weeks are being planned and resourced in underground forums now.&lt;/p&gt;

&lt;p&gt;The TikTok algorithmic seeding campaigns that achieved electoral effect in the 2024 Eastern Flank cycle were assembled from commercial dark web supply chains (influencer recruitment posts, account farm purchases, content production services with political calibration) weeks before the content appeared. The platforms saw the amplification. The preparation was invisible to anyone who wasn't watching where the preparation was occurring.&lt;/p&gt;

&lt;p&gt;IAB listings for critical infrastructure and defense-adjacent targets in Eastern Flank member states that carry premium prices with no financial exploitation rationale are not noise. They are a signal that adversarial actors with state-level motivation have assessed specific targets as worth the investment. The financial logic is wrong for a criminal buyer. It is exactly right for a strategic one.&lt;/p&gt;

&lt;p&gt;The intelligence gap that allows most operations to achieve surprise is not technical. It is the absence of monitoring where the preparation is occurring.&lt;/p&gt;

&lt;p&gt;What Has Not Changed&lt;br&gt;
The operational template deployed in early 2014 pre-positioned communities, culturally localized narrative architecture, exploitation of authentic grievances, dark web financial infrastructure, simultaneous multi-platform activation is the same template that is operationally active in 2026.&lt;/p&gt;

&lt;p&gt;The platforms have changed. Facebook gave way to Telegram, Telegram to TikTok. The cryptocurrency infrastructure has evolved from primitive direct transfers to institutional-grade obfuscation. The content production capacity has been multiplied by AI integration that has removed the human resource constraints that previously limited campaign volume.&lt;/p&gt;

&lt;p&gt;But the actors who understood this system when it was being built are still the actors running it. The communities that were cultivated in 2014 were never dismantled. They were never truly disrupted. They grew in the dark, funded by the same criminal financial ecosystem that was always their infrastructure, until geopolitical events made them visible to audiences that had been looking elsewhere.&lt;/p&gt;

&lt;p&gt;The asymmetry between analysts who have been watching this continuously and institutions that are encountering it as a new problem is not a knowledge gap. It is a time gap. And the operational value of sustained longitudinal monitoring, in dark web communities, in influence operation ecosystems, in the criminal-geopolitical overlap, is precisely the baseline that makes the current signals readable.&lt;/p&gt;

&lt;p&gt;The signals were already changing before the announcements were made. They always are.&lt;/p&gt;

&lt;p&gt;Adrian Alexandru Stîngă is Lead Analyst A-01 at Aether Intel, a CTI research platform producing threat intelligence at the intersection of dark web ecosystems, hybrid warfare operations, and Eastern Flank security. The full AS-CTI-2026 series (30 reports, TLP:CLEAR) and the OBSIDIAN-TRACE deep-dive series are published at aether-intel.com.&lt;/p&gt;

&lt;p&gt;All analysis reflects direct community-level observation. Where assessments draw on community-level intelligence that cannot be independently verified, confidence levels are explicitly documented in the underlying reports.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>geopolitical</category>
      <category>eu</category>
    </item>
    <item>
      <title>(HUMINT) The recruiter doesn't approach a soldier.</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Mon, 18 May 2026 12:43:30 +0000</pubDate>
      <link>https://dev.to/aetherintel/humint-the-recruiter-doesnt-approach-a-soldier-21i9</link>
      <guid>https://dev.to/aetherintel/humint-the-recruiter-doesnt-approach-a-soldier-21i9</guid>
      <description>&lt;p&gt;They approach a person with debt, a difficult divorce, or a grievance against their institution who happens to be a soldier.&lt;/p&gt;

&lt;p&gt;That distinction explains why most military counterintelligence programmes miss the majority of recruitment attempts. They screen for ideology. &lt;br&gt;
Dark web recruiters exploit finances.&lt;br&gt;
OT-057, our latest OBSIDIAN-TRACE deep dive, documents what that actually looks like from the inside: the question patterns used to map access without triggering security awareness training, the four-phase progression from "initial trust" to "operational tasking", and, critically, the CTI detection signals that appear on dark web forums weeks before any individual is ever approached.&lt;/p&gt;

&lt;p&gt;The finding that concerns us most: Eastern Flank military expansion is producing a larger, less thoroughly vetted personnel pool at exactly the moment adversarial recruitment incentive is at its peak. The signals we're monitoring are consistent with that assessment.&lt;br&gt;
The report covers detection methodology, MITRE ATT&amp;amp;CK mapping, and specific recommendations for counterintelligence officers and security programme designers.&lt;/p&gt;

&lt;p&gt;TLP:WHITE — available at aether-intel.com&lt;/p&gt;

</description>
      <category>ai</category>
      <category>humint</category>
      <category>osint</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>Telegram Didn't Kill the Dark Web. It Became Its Most Dangerous Wing.</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Thu, 14 May 2026 06:16:09 +0000</pubDate>
      <link>https://dev.to/aetherintel/telegram-didnt-kill-the-dark-web-it-became-its-most-dangerous-wing-37ke</link>
      <guid>https://dev.to/aetherintel/telegram-didnt-kill-the-dark-web-it-became-its-most-dangerous-wing-37ke</guid>
      <description>&lt;p&gt;Research disclosure: This article is based on passive observation &lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;intelligence from the AS-CTI-2026 series (TLP:WHITE). No participation &lt;br&gt;
in illicit activity was performed or implied. All assessments are &lt;br&gt;
analytical and probabilistic in nature.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;There's a take circulating in security circles that Telegram "replaced" the dark web. It's wrong and the people saying it are missing something more important.&lt;/p&gt;

&lt;p&gt;Telegram didn't replace the dark web. It became the dark web's retail layer: a high-volume, low-barrier, fully or semi-automated surface for the portion of criminal activity that no longer &lt;em&gt;needs&lt;/em&gt; the anonymity guarantees of Tor-based infrastructure. And that distinction matters enormously, because the result is a two-tier criminal ecosystem that is structurally more dangerous than either layer alone.&lt;/p&gt;

&lt;p&gt;Why the Dark Web Isn't Going Anywhere&lt;/p&gt;

&lt;p&gt;Let's establish what the dark web actually offers that Telegram structurally cannot.&lt;/p&gt;

&lt;p&gt;Tor routing provides genuine multi-hop anonymization of traffic at the network layer. Monero, the dominant payment rail on serious dark web markets, provides transaction unlinkability that Bitcoin fundamentally cannot replicate. Vetted forum communities have decade-long reputation systems built on PGP-signed communications and escrow structures that require real operational security to participate in. Market administrators on dark web forums can verify vendor history, mediate disputes, and enforce norms in ways that Telegram's bot-operated channels have no equivalent for.&lt;/p&gt;

&lt;p&gt;For high-value operations (initial access to enterprise networks, nation-state-adjacent tooling, serious infrastructure procurement, intelligence brokerage) the dark web remains the appropriate infrastructure. The anonymity requirements are non-negotiable. The vetting requirements are non-negotiable. Telegram cannot offer either.&lt;/p&gt;

&lt;p&gt;The dark web is not a legacy system being deprecated. It is the sophisticated tier of a bifurcated criminal infrastructure, and it will remain so as long as Tor, Monero, and PGP exist.&lt;/p&gt;

&lt;p&gt;What Telegram Actually Displaced&lt;/p&gt;

&lt;p&gt;What Telegram did displace, and this is the part that matters, is the &lt;em&gt;volume layer&lt;/em&gt; of dark web criminal activity. The commodity transactions. The mass-market operations. The criminal services that were previously accessible only to people willing to navigate Tor, manage a PGP key, and operate with dark web market discipline.&lt;/p&gt;

&lt;p&gt;Between 2020 and 2022, dark web market vendors began proactively migrating their customer bases to Telegram. Not because it was more secure. Because it was more &lt;em&gt;scalable&lt;/em&gt;. A Telegram link requires no technical threshold from the customer. No Tor. No PGP. No captcha. The vendor gains access to a vastly larger addressable market — anyone with a smartphone and a referral link — at the cost of reduced anonymity that, for commodity transactions, they judged acceptable.&lt;/p&gt;

&lt;p&gt;By 2023-2024, Telegram had effectively displaced dark web markets for entire &lt;em&gt;categories&lt;/em&gt; of transaction: drug distribution to end consumers, commodity malware sales, financial fraud product distribution. Not because it's better infrastructure (it isn't) but because the operational requirements of those categories don't demand what the dark web provides. A customer buying cannabis doesn't need Tor. A threat actor buying a commodity infostealer doesn't need Monero. Telegram is good enough, and good enough at scale beats excellent in a niche.&lt;/p&gt;

&lt;p&gt;The Automation Engine&lt;/p&gt;

&lt;p&gt;The Telegram criminal layer has one property that distinguishes it sharply from dark web market equivalents: near-total automation.&lt;/p&gt;

&lt;p&gt;Vendor-operated bot systems likely handle over 90% of criminal transactions on the platform (product browsing, payment processing, order confirmation, and delivery coordination) with minimal human intervention during normal operations. This isn't dark web market architecture with a better interface. This is an e-commerce stack built for volume.&lt;/p&gt;

&lt;p&gt;The standard transaction flow for drug distribution, the dominant criminal category on the platform, runs entirely without human contact: a customer pays a &lt;strong&gt;$5–10 entry fee&lt;/strong&gt; to join a channel, browses products through a bot interface, receives a cryptocurrency payment address, completes payment, and receives GPS coordinates for a dead drop pickup location. Average transaction value: approximately &lt;strong&gt;$100&lt;/strong&gt;. Zero human contact between vendor and buyer at any stage.&lt;/p&gt;

&lt;p&gt;For comparison, dark web market transactions involve escrow systems, dispute resolution, PGP-encrypted communications, and vendor reputation management — all of which require human oversight. The dark web prioritizes security and trust mechanisms. Telegram prioritizes throughput. They are optimizing for different things, serving different operational profiles.&lt;/p&gt;

&lt;p&gt;The MITRE Footprint of the Telegram Layer&lt;/p&gt;

&lt;p&gt;For security practitioners, the observed ATT&amp;amp;CK mapping of Telegram criminal activity covers the commodity-to-mid-tier range of the threat spectrum:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;T1566 (Phishing) — credential theft kits sold as criminal service; phishing infrastructure distributed at scale&lt;/li&gt;
&lt;li&gt;T1588.001 (Obtain Capabilities: Malware) — commodity stealers (RedLine, Lumma) via automated bot channels&lt;/li&gt;
&lt;li&gt;T1657 (Financial Theft) — compromised financial accounts (fullz, payment processors accounts) as primary product category&lt;/li&gt;
&lt;li&gt;T1078 (Valid Accounts) — stolen credentials sold directly; account takeover services via bot interface&lt;/li&gt;
&lt;li&gt;T1567 (Exfiltration Over Web Service) — Telegram's Bot API used as an exfiltration channel by multiple malware families; the command-and-control side of the same traffic is tracked separately under T1102 (Web Service)&lt;/li&gt;
&lt;li&gt;T1583 (Acquire Infrastructure) — bulletproof hosting, RDP access as infrastructure services&lt;/li&gt;
&lt;li&gt;T1090 (Proxy) — residential proxy services for operational anonymization&lt;/li&gt;
&lt;li&gt;T1119 (Automated Collection) — the nearest fit for bot systems that automate the complete transaction lifecycle; strictly, T1119 describes automated harvesting of data from victim systems, so read this entry as an analogy for the automation rather than a direct technique mapping&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Notice what's largely absent from this list: the sophisticated, targeted, high-value operations (APT tooling, zero-day brokerage, critical infrastructure access). Those remain on dark web forums where the vetting, anonymity, and trust infrastructure exists to support them. Telegram is the volume layer. The dark web handles the apex tier.&lt;/p&gt;

&lt;p&gt;A Structural Intelligence Gap&lt;/p&gt;

&lt;p&gt;One of the most analytically significant observations from longitudinal monitoring of Telegram criminal channels is the payment infrastructure failure.&lt;/p&gt;

&lt;p&gt;Bitcoin dominates criminal transactions on Telegram, and that is a significant operational security error. Unlike Monero-based dark web market transactions, Bitcoin payments leave a permanent, public ledger record; once funds touch a KYC exchange, transaction patterns can be tied to an identifiable account. The gap between what operators know they should use (privacy coins) and what they actually deploy (Bitcoin, because it reduces customer friction) is directly and consistently observable across channel types.&lt;/p&gt;

&lt;p&gt;This OPSEC failure is an intelligence collection opportunity that law enforcement financial investigation units are not fully exploiting, particularly given that the dark web's Monero-dominant payment layer is significantly harder to trace. The two-tier ecosystem has, perhaps unintentionally, sorted criminal operators by their sophistication and their exposure to blockchain forensics.&lt;/p&gt;

&lt;p&gt;The Durov Arrest Was Noise&lt;/p&gt;

&lt;p&gt;When Pavel Durov was arrested in France in August 2024, the criminal ecosystem on his platform registered zero observable operational impact. Channels stayed live. Bot systems kept processing orders. Transaction flows continued uninterrupted.&lt;/p&gt;

&lt;p&gt;This outcome was predictable. Criminal infrastructure on Telegram was never dependent on founder oversight or moderation policy decisions. It had grown into a self-sustaining automated ecosystem. Any enforcement action at the platform level would need to be sustained, coordinated, and targeted at the bot infrastructure itself (not at executives) to have operational impact.&lt;/p&gt;

&lt;p&gt;The arrest also illustrates the limits of thinking about this problem as a Telegram problem. Telegram is the current substrate. If enforcement pressure forced a meaningful migration, the same criminal ecosystem would reconstitute on a different platform, likely one with weaker existing law enforcement relationships. The infrastructure is the actors and their automation, not the application.&lt;/p&gt;

&lt;p&gt;What the Two-Tier Architecture Means for Defenders&lt;/p&gt;

&lt;p&gt;Understanding that we're dealing with a bifurcated ecosystem, not a single criminal infrastructure, has direct implications for how defenders should orient.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Dark web monitoring and Telegram monitoring are not interchangeable.&lt;/strong&gt; They cover different operational tiers of the same threat landscape. A security team monitoring only dark web forums will miss the commodity credential market, the automation infrastructure for account takeover, and the malware distribution channels that operate primarily on Telegram. A team monitoring only Telegram misses the sophisticated, high-value operations that remain dark web-native.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The barrier to entry for criminal services has collapsed at the Telegram tier.&lt;/strong&gt; What previously required dark web operational security (accessing commodity malware, purchasing stolen credentials, procuring account takeover services) now requires a Telegram link and a small cryptocurrency payment. Threat actors who would have been filtered out by dark web friction now have functional access to a criminal services marketplace. The overall volume of threats is structurally higher as a result.&lt;/p&gt;

&lt;p&gt;The two tiers communicate. Dark web forums reference Telegram channels. Telegram operators advertise on dark web marketplaces. Intelligence that lives only in one tier is incomplete intelligence. The ecosystem is integrated, even if the operational profiles of each tier are distinct.&lt;/p&gt;

&lt;p&gt;The Real Threat Model&lt;/p&gt;

&lt;p&gt;The dark web is not being replaced. It is being complemented by a vastly more accessible, vastly more automated parallel layer that handles the criminal activity that no longer requires its guarantees.&lt;/p&gt;

&lt;p&gt;Together, the two tiers cover the full spectrum: the dark web handles sophisticated, high-anonymity, high-value operations; Telegram handles commodity, volume-driven, automated operations accessible to anyone. The combined surface is broader than either alone and the Telegram layer specifically represents a threat category that most organizational security frameworks were not designed to address, because it didn't exist at this scale five years ago.&lt;/p&gt;

&lt;p&gt;We are not watching Telegram displace the dark web. We are watching a criminal infrastructure that has successfully specialized, with each tier handling the work it is best suited for. That is a more mature, more resilient threat landscape than the one we were modeling before.&lt;/p&gt;

&lt;p&gt;This analysis is informed by the AS-CTI-2026-005 report "Telegram as Criminal Infrastructure: Ecosystem, Actors, and Emerging Threats," produced through longitudinal direct community observation. Part of the 30-report AS-CTI-2026 series by &lt;a href="https://aether-intel.com" rel="noopener noreferrer"&gt;Aether Intel&lt;/a&gt; — Lead Analyst A-01. TLP:WHITE.&lt;/p&gt;

&lt;p&gt;What tier of this ecosystem is your organization currently monitoring? Most threat intel programs I've seen cover one or the other, rarely both with equivalent depth.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>webdev</category>
      <category>cryptocurrency</category>
    </item>
    <item>
      <title>Your Login Endpoint Is Being Tested Right Now. Your Rate Limiter Thinks It's Fine.</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Wed, 13 May 2026 14:33:18 +0000</pubDate>
      <link>https://dev.to/aetherintel/your-login-endpoint-is-being-tested-right-now-your-rate-limiter-thinks-its-fine-14pe</link>
      <guid>https://dev.to/aetherintel/your-login-endpoint-is-being-tested-right-now-your-rate-limiter-thinks-its-fine-14pe</guid>
      <description>&lt;p&gt;Here's a thing that happened to a mid-sized SaaS last year:&lt;br&gt;
They had rate limiting. They had CAPTCHA on failed attempts. They had account lockout after 10 failures. Their security posture, by most checklists, was "reasonable."&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftvf8f64tyemzjls3lf7q.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftvf8f64tyemzjls3lf7q.jpg" alt=" " width="800" height="588"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Over 47 days, 2.3 million credential pairs were tested against their login endpoint.&lt;br&gt;
Zero lockouts triggered. Zero CAPTCHAs served. Zero alerts fired.&lt;br&gt;
The reason isn't a zero-day. It isn't some exotic bypass. It's something so structurally simple that once you see it, you can't unsee it — and you'll look at your own auth implementation differently.&lt;/p&gt;

&lt;p&gt;The Velocity Gap&lt;br&gt;
The entire architecture of brute-force and credential stuffing defense is built on one assumption: attacks are fast.&lt;br&gt;
Lock out after N failures. Rate limit per IP. Detect anomalous request volumes. All of it assumes the attacker is in a hurry.&lt;br&gt;
They're not.&lt;br&gt;
The shift happened gradually and then all at once: credential stuffing operations evolved from spray-and-pray to what threat intelligence work now calls low-velocity distributed testing. The attack is spread across:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Thousands of residential proxy IPs (not the datacenter ranges your WAF is watching)&lt;/li&gt;
&lt;li&gt;Days or weeks, not hours&lt;/li&gt;
&lt;li&gt;One or two attempts per IP, never enough to trigger per-IP thresholds&lt;/li&gt;
&lt;li&gt;Human-realistic timing patterns, including sleep cycles, to defeat behavioral analysis&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The math is simple and brutal: if you test 50,000 credentials at 1 attempt per IP, spread across 72 hours, with normally-distributed timing, here is how the standard controls respond:&lt;/p&gt;

&lt;table&gt;
&lt;thead&gt;&lt;tr&gt;&lt;th&gt;Control&lt;/th&gt;&lt;th&gt;Status&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;IP rate limiting (per-IP)&lt;/td&gt;&lt;td&gt;✅ Never triggered&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Account lockout (N failures per account)&lt;/td&gt;&lt;td&gt;✅ Never triggered&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Velocity-based anomaly detection&lt;/td&gt;&lt;td&gt;✅ Never triggered&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;CAPTCHA on failed attempts&lt;/td&gt;&lt;td&gt;✅ Never triggered&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Your SIEM alert&lt;/td&gt;&lt;td&gt;✅ Never triggered&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;

&lt;p&gt;This isn't a hypothetical. This is operational tradecraft documented across dark web IAB (Initial Access Broker) forums and criminal communities. The tools to do this at scale are commoditized, cheap, and actively sold with "anti-detection" as a primary feature.&lt;/p&gt;

&lt;p&gt;What You're Actually Logging&lt;br&gt;
When a low-velocity credential stuffing operation runs against your endpoint, here's what your logs typically show:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A moderate uptick in failed logins, well within normal variance&lt;/li&gt;
&lt;li&gt;Diverse IP distribution, mostly residential ranges&lt;/li&gt;
&lt;li&gt;Normal User-Agent strings (the tooling rotates these)&lt;/li&gt;
&lt;li&gt;No obvious geographic clustering: residential proxies span legitimate geographies&lt;/li&gt;
&lt;li&gt;Login attempt timing that doesn't stand out from organic traffic patterns&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;What you're not seeing without specific instrumentation: the ratio of attempts-per-credential-pair and the relationship between accounts being tested. The attack looks like noise because it was designed to look like noise.&lt;/p&gt;

&lt;p&gt;The Credential Ecosystem Problem&lt;br&gt;
Here's the part that doesn't get talked about enough in engineering-focused security content:&lt;br&gt;
The credentials being tested against your endpoint didn't come from nowhere. They came from a data breach marketplace — and those markets are now extraordinarily efficient.&lt;br&gt;
A credential dump from a 2022 breach of a mid-tier e-commerce site gets:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Parsed and deduped&lt;/li&gt;
&lt;li&gt;Tested against high-value targets (banking, crypto, SaaS)&lt;/li&gt;
&lt;li&gt;Already-validated credentials sold to IABs at a premium&lt;/li&gt;
&lt;li&gt;Remaining "untested" credentials sold in bulk for a few dollars per thousand pairs&lt;/li&gt;
&lt;li&gt;Those bulk credentials used in stuffing operations against your login endpoint&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The time from breach to your endpoint being tested is now measured in weeks, not months. And the credentials being tested against you might be from a service your user signed up for 4 years ago that you've never heard of.&lt;br&gt;
Your user reused a password. They have no idea. You have no idea. The attacker has a list.&lt;/p&gt;

&lt;p&gt;The Controls That Actually Matter&lt;br&gt;
Stop me if this sounds familiar: your security posture is built around preventing unauthorized logins. But with credential stuffing, the login often succeeds. That's the point. The credentials are real.&lt;br&gt;
So the question shifts from "how do I stop the wrong password" to "how do I detect that a correct password is being used by the wrong person."&lt;br&gt;
That's a fundamentally different problem.&lt;br&gt;
What doesn't work (as a primary control):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Per-IP rate limiting alone&lt;/li&gt;
&lt;li&gt;Account lockout on failed attempts (each account sees only one or two attempts, far below any lockout threshold)&lt;/li&gt;
&lt;li&gt;Password complexity requirements (the password is correct)&lt;/li&gt;
&lt;li&gt;Standard CAPTCHA (it is served once failures pile up per IP or per account, and neither counter ever gets there)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;What actually moves the needle:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Credential pair testing detection
Look for the population of tested accounts, not individual account behavior. If 800 distinct accounts each receive exactly 1–2 login attempts from distinct IPs within a 24-hour window, that's a signal. None of those individually trigger a threshold. The population does.&lt;/li&gt;
&lt;li&gt;Impossible travel and device fingerprinting on successful logins
A successful login from a credential that has never been seen on this device/browser fingerprint, from an ASN associated with residential proxy providers, is worth flagging for step-up authentication — regardless of whether the password was correct.&lt;/li&gt;
&lt;li&gt;Password breach detection at login
Have I Been Pwned's API (and similar) lets you check whether the credential being used appears in known breach datasets. A correct password that's also in a breach corpus deserves extra scrutiny. This is underused.&lt;/li&gt;
&lt;li&gt;Invisible MFA friction on anomalous signals
Don't lock accounts on first anomaly. Do add friction. A step-up auth challenge that looks organic to a legitimate user is nearly impossible for an automated stuffing operation to complete at scale.&lt;/li&gt;
&lt;li&gt;Honeypot accounts
If you have the infra: seed your user database with accounts that should never see login attempts. Any attempt against them is, by definition, from a list. Treat it as a signal that a credential dump including your domain is in circulation.&lt;/li&gt;
&lt;/ol&gt;
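&lt;p&gt;Items 1 and 5 above, implemented as an added example. This is not code from the original post: the log line format ("ISO-8601 user ip result"), the honeypot account names, the 24-hour window and the thresholds are assumptions chosen for illustration, and the traffic is constructed, not captured. The point it shows is the one the post makes: no single account or IP in the sample ever crosses a per-entity threshold, yet the window as a population is unmistakable.&lt;/p&gt;

```python
"""Population-level credential-stuffing detection over auth log lines.

Added example for this post, not code from the original article. The log
format ("ISO-8601 user ip result"), the honeypot account names and the
thresholds are assumptions chosen for illustration; the traffic is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed decoy accounts seeded in the user table. Nobody legitimate knows them,
# so any attempt against one can only come from a list (item 5 in the post).
HONEYPOT_ACCOUNTS = {"svc-legacy-import", "qa-seed-07"}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    ip: str
    ok: bool


def make_sample_log(stuffed_accounts=800, organic_users=30, honeypot_hit=True):
    """Constructed traffic. Organic users fail once and retry from the same IP;
    the campaign touches each target account exactly once from its own IP,
    spread evenly over 24 hours, so no per-IP or per-account counter moves."""
    start = datetime(2026, 5, 1, tzinfo=timezone.utc)
    lines = []
    for i in range(organic_users):
        ip = f"198.51.100.{i % 250 + 1}"
        t = start + timedelta(minutes=37 * i)
        retry = t + timedelta(seconds=25)
        lines.append(f"{t:{TS_FMT}} user{i:03d} {ip} FAIL")
        lines.append(f"{retry:{TS_FMT}} user{i:03d} {ip} OK")
    step = timedelta(seconds=86400 // max(stuffed_accounts, 1))
    for j in range(stuffed_accounts):
        ip = f"203.0.{j // 250}.{j % 250 + 1}"
        result = "OK" if j % 97 == 0 else "FAIL"  # a few reused passwords land
        lines.append(f"{start + step * j:{TS_FMT}} victim{j:04d} {ip} {result}")
    if honeypot_hit:
        t = start + timedelta(hours=13, minutes=5)
        lines.append(f"{t:{TS_FMT}} qa-seed-07 203.0.113.250 FAIL")
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed lines into events; a real pipeline would read the
    auth service's own log schema here."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        when = datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)
        events.append(Event(when, user, ip, result == "OK"))
    return events


def population_signals(events, window=timedelta(hours=24), min_single_touch=200,
                       min_ip_spread=0.8, honeypots=HONEYPOT_ACCOUNTS):
    """Score each fixed window as a population, not account by account.
    An account is "single-touch" when it sees one or two attempts in the
    window, each from a different IP: the footprint a list-driven campaign
    leaves and organic retries do not. Thresholds are assumptions; calibrate
    them against your own baseline before alerting on them."""
    if not events:
        return []
    t0 = min(e.ts for e in events)
    buckets = defaultdict(list)
    for e in events:
        buckets[int((e.ts - t0) / window)].append(e)
    reports = []
    for idx in sorted(buckets):
        evs = buckets[idx]
        ips_by_user = defaultdict(list)
        for e in evs:
            ips_by_user[e.user].append(e.ip)
        single_touch = {u for u, ips in ips_by_user.items()
                        if len(ips) in (1, 2) and len(set(ips)) == len(ips)}
        attempts = len(evs)
        ip_spread = len({e.ip for e in evs}) / attempts
        honeypot_hits = sum(1 for e in evs if e.user in honeypots)
        flagged = honeypot_hits > 0 or (
            len(single_touch) >= min_single_touch and ip_spread >= min_ip_spread)
        reports.append({
            "window_start": t0 + idx * window,
            "attempts": attempts,
            "distinct_accounts": len(ips_by_user),
            "single_touch_accounts": len(single_touch),
            "ip_spread": round(ip_spread, 3),
            "successes_on_single_touch": sum(
                1 for e in evs if e.ok and e.user in single_touch),
            "honeypot_hits": honeypot_hits,
            "flagged": flagged,
        })
    return reports


if __name__ == "__main__":
    for report in population_signals(parse_log(make_sample_log())):
        print(report)
```

&lt;p&gt;Run stand-alone it prints one report for the constructed day: 861 attempts, 801 single-touch accounts, IP spread above 0.96, one honeypot hit, and nine successful logins on accounts that were touched exactly once, which is the set worth pushing to step-up authentication. Re-run with &lt;code&gt;make_sample_log(stuffed_accounts=0, honeypot_hit=False)&lt;/code&gt; to see the organic baseline score as not flagged.&lt;/p&gt;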

&lt;p&gt;An Honest Structural Assessment&lt;br&gt;
Here's the take I'll stand behind: most auth security advice is optimized for a threat model that hasn't been operationally accurate for 3–4 years.&lt;br&gt;
Rate limiting, lockout policies, and CAPTCHA were designed for an era when attackers were using their own IPs and moving fast. The underground adapted. The defense guidance largely didn't.&lt;br&gt;
The "OWASP Top 10" framing, while useful for broad awareness, treats credential stuffing as a volume problem with a volume solution. The 2026 operational reality is that sophisticated stuffing operations deliberately operate below every volume threshold you've set, because they specifically studied where those thresholds are.&lt;br&gt;
You can't fix this with a single control. You fix it by instrumenting for population-level patterns, not individual-account-level events. And by accepting that a successful login is not, by itself, evidence of authorization.&lt;/p&gt;

&lt;p&gt;What This Means for Your Next Auth Review&lt;br&gt;
Three concrete questions worth asking about your current implementation:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Do we have any visibility into population-level login attempt patterns, or only per-account and per-IP patterns? If the answer is "per-account and per-IP only," you have a detection gap.&lt;/li&gt;
&lt;li&gt;What happens when a credential stuffing operation succeeds? What does the session look like, and what anomaly signals do we check at that point? If the answer is "nothing, a valid login is a valid login," you have a response gap.&lt;/li&gt;
&lt;li&gt;Do we have any signal on whether credentials currently in use against our system appear in known breach datasets? If the answer is "no," that's a free improvement available today.&lt;/li&gt;
&lt;/ol&gt;
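&lt;p&gt;The third question, and item 3 in the controls list, in working form. This is an added example rather than the author's code. It implements the Pwned Passwords range lookup that Have I Been Pwned exposes: the client hashes the password with SHA-1, sends only the first five hex characters, receives every suffix in that bucket with its breach count, and matches locally, so neither the password nor its full hash leaves the host. The range response used here is constructed so the example runs offline (its counts are made up), and the allow/step-up/deny policy is an assumed one.&lt;/p&gt;

```python
"""Breach-corpus check at login using the Pwned Passwords k-anonymity range API.

Added example for this post, not code from the original article. The protocol
is the public Have I Been Pwned range endpoint; the response used by the
offline demo is constructed and its counts are made up.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def range_query_parts(password: str):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent and the 35-char suffix that stays on the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str):
    """Response lines are 'SUFFIX:COUNT'; padded responses add zero-count decoys."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        table[suffix.upper()] = int(count)
    return table


def live_fetch_range(prefix: str, timeout: float = 3.0) -> str:
    """Real network fetch, not used by the offline demo. Add-Padding asks the
    service to pad the bucket so the response size does not reveal it."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-login-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def constructed_fetch_range(prefix: str) -> str:
    """Offline stand-in for the API. The bucket for 'password' carries its real
    suffix with a made-up count plus decoys; every other bucket is decoys only."""
    pw_prefix, pw_suffix = range_query_parts("password")
    rows = ["00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
            "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
            "02E0B2A9F5C4F2BDE1A1D9C4B7E6F0A3B21:0"]
    if prefix == pw_prefix:
        rows.append(f"{pw_suffix}:3730471")  # constructed count
    return "\r\n".join(rows)


def breach_count(password: str, fetch_range=constructed_fetch_range) -> int:
    """Number of times the password appears in the corpus, 0 if absent."""
    prefix, suffix = range_query_parts(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def login_decision(password_correct: bool, count: int) -> str:
    """Assumed policy: a wrong password is denied as usual; a correct password
    that sits in the breach corpus gets step-up (MFA) instead of a plain allow,
    because 'correct' is not evidence that the right person typed it."""
    if not password_correct:
        return "deny"
    return "step_up" if count > 0 else "allow"


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-2026"):
        n = breach_count(pw)
        print(pw, n, login_decision(True, n))
```

&lt;p&gt;Swap &lt;code&gt;constructed_fetch_range&lt;/code&gt; for &lt;code&gt;live_fetch_range&lt;/code&gt; to query the real service; the matching logic is unchanged. Run the check only after the password has verified, cache the bucket per prefix, and fail open to the normal login path if the lookup times out, so the control adds friction to breached credentials without becoming an outage.&lt;/p&gt;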

&lt;p&gt;None of this is exotic. All of it is underimplemented.&lt;/p&gt;

&lt;p&gt;This post is informed by threat intelligence research covering dark web credential markets, Initial Access Broker operations, and criminal tooling tradecraft — part of the Aether Intel AS-CTI-2026 series. TLP:WHITE.&lt;br&gt;
Have you instrumented for population-level credential stuffing signals? &lt;/p&gt;

&lt;p&gt;What's actually worked in your stack? Drop it in the comments.&lt;/p&gt;

</description>
      <category>security</category>
      <category>webdev</category>
      <category>auth0challenge</category>
      <category>ai</category>
    </item>
    <item>
      <title>The AI Persona Problem: Your Next Threat Actor Doesn't Exist</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Wed, 13 May 2026 08:45:05 +0000</pubDate>
      <link>https://dev.to/aetherintel/the-ai-persona-problem-your-next-threat-actor-doesnt-exist-23a5</link>
      <guid>https://dev.to/aetherintel/the-ai-persona-problem-your-next-threat-actor-doesnt-exist-23a5</guid>
      <description>&lt;p&gt;Let me say something that will make most security vendors uncomfortable:&lt;br&gt;
The traditional "know your attacker" model is already obsolete.&lt;br&gt;
Not because threat actors got smarter. Because they stopped existing.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvy9q5564bic2q2g2s6bn.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvy9q5564bic2q2g2s6bn.jpg" alt=" " width="800" height="545"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For years, threat intelligence ran on a simple premise: behind every attack is a human. Find the human (their habits, their language, their operational patterns, their mistakes) and you find the threat.&lt;br&gt;
This gave us actor profiling. Attribution reports. Persona mapping. Behavioral fingerprinting. All built on one invisible assumption: humans leak identity, always, eventually.&lt;br&gt;
They leave timezone patterns in their commit logs. They reuse usernames across forums. They make grammatical errors consistent with their native language. They sleep.&lt;br&gt;
That assumption is gone.&lt;/p&gt;

&lt;p&gt;What the Underground Actually Looks Like Now&lt;br&gt;
Here's what threat intelligence collection on closed communities reveals in 2026: synthetic personas are not a future concern. They're operational infrastructure today.&lt;br&gt;
Dark web forums (the kind with actual vetting, not the script-kiddie playgrounds) now host actors whose entire identity stack is AI-generated and AI-maintained. Not "AI-assisted." AI-maintained. The persona posts, responds to challenges, builds reputation, and sustains trust relationships across months, without a human touching the keyboard for every interaction.&lt;br&gt;
What does this look like in practice?&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Reputation laundering:&lt;/strong&gt; A synthetic persona spends 3–6 months building credibility on legitimate developer communities (yes, including places like this one). It asks reasonable questions, gives solid answers, gets upvotes. Then it pivots to targeted social engineering, not with a phishing link but with a pull request, a job offer, or a partnership proposal.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Trust infrastructure at scale:&lt;/strong&gt; One threat actor can now maintain 40+ active personas simultaneously across different platforms. Each persona has a coherent history. Each has a specialization. Some are "devs," some are "researchers," some are "recruiters."&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Behavioral camouflage:&lt;/strong&gt; AI models fine-tuned on human forum behavior can now pass informal Turing tests that security researchers would have considered reliable 18 months ago.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The Part Nobody Wants to Admit&lt;br&gt;
Here's the uncomfortable take: most of your current detection models are built to catch humans.&lt;br&gt;
Rate limiting? Catches bots, not synthetic personas that move at human speed.&lt;br&gt;
Writing style analysis? Works against low-effort actors, not against a model trained specifically to mimic the writing patterns of your professional community.&lt;br&gt;
Account age thresholds? Meaningless against personas with 8-month runway before activation.&lt;br&gt;
Vouching systems? Dangerous. A single compromised human voucher can launder an entire network of synthetic identities into "trusted" status.&lt;br&gt;
The OSS security community spent years worrying about malicious packages. The actual attack surface was always the contributors, not the packages. We just didn't have a threat model for fake contributors at scale.&lt;/p&gt;

&lt;p&gt;What This Means for Developers Specifically&lt;br&gt;
If you maintain an open source project, contribute to one, or participate in any professional community with real stakes:&lt;br&gt;
You have no reliable way to verify that the person you've been talking to for three months is human.&lt;br&gt;
That's not hyperbole. That's the operational reality that comes out of current threat intelligence work.&lt;br&gt;
Some concrete implications:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Code review is now a social engineering surface.&lt;/strong&gt; A persona that's been contributing small, clean PRs for months has built enough trust to get a larger, more complex PR reviewed less rigorously. This is documented behavior, not speculation.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Job referrals are being weaponized.&lt;/strong&gt; Synthetic personas with credible LinkedIn histories are being used to get humans referred into target organizations, humans who themselves may not know they're part of an operation.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Your DMs aren't private and your correspondent might not be real.&lt;/strong&gt; Reconnaissance operations run through professional communities specifically because people are less guarded there than they would be with a cold email.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The Harder Problem: Detection Is Getting Worse, Not Better&lt;br&gt;
You might think: AI detectors. The arms race.&lt;br&gt;
Here's why that's not the answer: detection tools are trained on known AI outputs. Threat actors specifically fine-tune to evade those signatures. It's not a fair race: defenders need to catch everything, attackers need to find one gap.&lt;br&gt;
More importantly, the question "is this AI-generated?" is increasingly the wrong question. A human who types into an AI and pastes the response is neither human nor AI in any operationally meaningful sense. The identity of the operator matters, not the identity of the text generator.&lt;/p&gt;

&lt;p&gt;What Good Actually Looks Like&lt;br&gt;
I'm not going to pretend there's a clean solution. There isn't. But there are better and worse postures:&lt;br&gt;
Better:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Treat long-term behavioral consistency as a weak signal, not a strong one. Synthetic personas are specifically designed to build it.&lt;/li&gt;
&lt;li&gt;Move important decisions out of asynchronous text channels where personas can operate. A 15-minute video call doesn't solve this, but it does raise the cost significantly.&lt;/li&gt;
&lt;li&gt;Be skeptical of convenient expertise. A persona that shows up at the exact moment you need a specific skill is a pattern worth noting.&lt;/li&gt;
&lt;li&gt;Think about your community's specific value to an adversary. OSS crypto libraries. Defense contractor supply chains. CTI communities. High-trust access = high-value persona target.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Worse:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Assuming the problem doesn't apply to you because you're not a big target.&lt;/li&gt;
&lt;li&gt;Investing heavily in AI text detectors as a primary control.&lt;/li&gt;
&lt;li&gt;Treating platform-level verification (GitHub stars, Dev.to reputation, LinkedIn connections) as identity verification. It isn't.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The Actual Uncomfortable Truth&lt;br&gt;
The AI persona problem isn't primarily a technical problem. It's a trust architecture problem.&lt;br&gt;
We built professional communities on the assumption that sustained, coherent participation was a reliable signal of legitimate human intent. That assumption was always an approximation. Now it's a liability.&lt;br&gt;
The communities that will navigate this best are the ones that get honest about what they're actually verifying, and what they aren't. Not the ones that add another detection layer to a model that was never designed for this threat.&lt;/p&gt;

&lt;p&gt;This post draws on active threat intelligence research from the Aether Intel AS-CTI-2026 and OT series, which covers dark web actor behavior, synthetic identity operations, and underground community dynamics. TLP:WHITE.&lt;/p&gt;

&lt;p&gt;What's your take — has your community started thinking about this? I'd genuinely like to know what controls people are actually considering.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>security</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>FROM TOR TO TRACEABLE: WHY 90% OF 'ANONYMOUS' Threat actors ARE ONE MISTAKE AWAY FROM EXPOSURE</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Mon, 11 May 2026 17:13:09 +0000</pubDate>
      <link>https://dev.to/aetherintel/from-tor-to-traceable-why-90-of-anonymous-threat-actors-are-one-mistake-away-from-exposure-54f0</link>
      <guid>https://dev.to/aetherintel/from-tor-to-traceable-why-90-of-anonymous-threat-actors-are-one-mistake-away-from-exposure-54f0</guid>
      <description>&lt;p&gt;After spending ~15 years monitoring underground ecosystems, I've observed a pattern so consistent it borders on predictable: the vast majority of threat actors,regardless of sophistication level ultimately compromise their own anonymity through behavioral patterns they cannot escape.&lt;/p&gt;

&lt;p&gt;This isn't about breaking encryption. It's about breaking the human behind it.&lt;/p&gt;

&lt;p&gt;THE ILLUSION OF ANONYMITY&lt;/p&gt;

&lt;p&gt;When most people think about dark web attribution, they imagine cryptographic breakthroughs or zero-day exploits that crack Tor or Monero. The reality is far less cinematic and far more human.&lt;/p&gt;

&lt;p&gt;I've tracked hundreds of actors across restricted communities, underground marketplaces, and encrypted communication channels. What I've learned is this: you don't need to defeat the mathematics of privacy-enhancing technologies. You need to recognize that humans are creatures of habit, and habits leave traces.&lt;/p&gt;

&lt;p&gt;THE VULNERABILITY ISN'T IN THE CODE IT'S IN THE CLOCK&lt;/p&gt;

&lt;p&gt;The single most pervasive weakness I've observed across threat actor populations is temporal pattern formation. Whether we're talking about low-tier vendors or state-sponsored APT groups, the behavioral signature is remarkably similar.&lt;/p&gt;

&lt;p&gt;Actors log into marketplaces at consistent times. They respond to messages during predictable windows. They execute cryptocurrency transactions within observable rhythms. After 30-90 days of monitoring, these patterns don't just suggest location; they practically announce it.&lt;/p&gt;

&lt;p&gt;This isn't theoretical. This is what makes 90% of "anonymous" actors traceable.&lt;/p&gt;

&lt;p&gt;The mathematics of privacy coins like Monero remain robust. But when transaction timing correlates with login patterns, forum activity, and communication windows, the encryption becomes irrelevant. You don't break the cryptography; you profile the person using it.&lt;/p&gt;

&lt;p&gt;WHERE MONEY MEETS MISTAKES&lt;/p&gt;

&lt;p&gt;Cryptocurrency represents both the greatest strength and the most exploitable weakness in underground operational security. The pattern is almost universal:&lt;/p&gt;

&lt;p&gt;Actors use tumblers and mixing services. They swap between coins. They believe they've covered their tracks. But they fail to account for the behavioral metadata surrounding these transactions.&lt;/p&gt;

&lt;p&gt;The timing of a mixing operation. The amounts being processed. The relationship between financial activity and forum presence. These create a behavioral fingerprint that persists across pseudonymous identities.&lt;/p&gt;

&lt;p&gt;Most actors focus on technical OPSEC while ignoring temporal OPSEC. This is the gap where exposure happens.&lt;/p&gt;

&lt;p&gt;THE DISCIPLINE GAP: STATE-SPONSORED VS. INDEPENDENT ACTORS&lt;/p&gt;

&lt;p&gt;There's a measurable difference in operational discipline between state-sponsored groups and independent threat actors. The former operate with corporate-level structure: consistent working hours, geographic constraints, coordinated deployment schedules. This doesn't make them invulnerable; it makes their patterns different.&lt;/p&gt;

&lt;p&gt;State-sponsored actors understand the stakes extend beyond incarceration. This drives a different risk calculus. But even with superior resources and training, behavioral patterns emerge. The difference is that their patterns are institutional rather than individual.&lt;/p&gt;

&lt;p&gt;Independent actors, particularly those in the low-to-medium sophistication range, rarely implement even basic operational security measures. Many don't use VPNs. Fewer still construct proper tunneling infrastructure through RDP, RDI, or SOCKS proxies. They rely on Tor alone, unaware that application layer mistakes can bypass network-layer protections.&lt;/p&gt;

&lt;p&gt;THE EVOLUTION PROBLEM: AI AS A DOUBLE-EDGED SWORD&lt;/p&gt;

&lt;p&gt;The underground landscape has transformed dramatically over the past 15 years. Tasks that once required programming knowledge and technical expertise can now be automated through AI-assisted tooling. This has lowered the barrier to entry substantially.&lt;/p&gt;

&lt;p&gt;Where aspiring threat actors once needed to learn a programming language to build infrastructure, they can now deploy sophisticated operations with minimal technical background. This proliferation effect is creating an entirely new class of actors, what might be called "AI script kiddies."&lt;/p&gt;

&lt;p&gt;The paradox: AI simultaneously enables both threat actors and those tracking them. Automated pattern recognition, behavioral analysis, and correlation systems scale in ways manual analysis cannot. The same technology that makes it easier to commit cybercrime makes it easier to detect and attribute.&lt;/p&gt;

&lt;p&gt;The result is a more saturated threat landscape with higher detection rates. The barrier to entry drops while the barrier to sustained anonymity rises.&lt;/p&gt;

&lt;p&gt;THE 10% WHO DON'T GET CAUGHT&lt;/p&gt;

&lt;p&gt;If 90% of actors make fatal pattern-based mistakes, what separates the remaining 10%?&lt;/p&gt;

&lt;p&gt;In my experience, the actors who maintain long-term operational security share specific psychological traits. Many exhibit neurodivergent characteristics—extreme paranoia, obsessive attention to detail, pattern-breaking behaviors that feel unnatural to neurotypical individuals.&lt;/p&gt;

&lt;p&gt;These actors don't just implement good OPSEC. They fight against their own cognitive defaults. They actively randomize behaviors that others perform on autopilot. They treat anonymity as a discipline requiring constant conscious effort rather than a technical configuration they set up once.&lt;/p&gt;

&lt;p&gt;This level of operational discipline is psychologically exhausting. Most humans cannot sustain it.&lt;/p&gt;

&lt;p&gt;THE VENDOR LONGEVITY PARADOX&lt;/p&gt;

&lt;p&gt;Long-term survival in underground marketplaces is exceptionally rare. Fewer than 1% of vendors remain active for more than a decade. This isn't primarily due to law enforcement action or technical compromise.&lt;/p&gt;

&lt;p&gt;Most vendors enter underground ecosystems driven by the perception of easy money. They experience initial success, scale their operations, and become increasingly visible. Greed accelerates exposure. Consistency creates patterns. Longevity requires discipline that contradicts the psychological drivers that attracted them to the space in the first place.&lt;/p&gt;

&lt;p&gt;The vendors who survive longest aren't necessarily the most technically sophisticated. They're the ones who maintain behavioral discipline across years of operation. They resist the temptation to scale. They accept that sustained anonymity requires accepting lower profits in exchange for lower visibility.&lt;/p&gt;

&lt;p&gt;TIER 1 THREAT ACTORS: WHERE THEY REALLY COME FROM&lt;/p&gt;

&lt;p&gt;There's a common misconception that sophisticated threat actor groups recruit externally or emerge fully formed. In reality, nearly all tier-1 ransomware-as-a-service operations, advanced persistent threat groups, and organized cybercrime syndicates draw from the same talent pools.&lt;/p&gt;

&lt;p&gt;They started on the same forums. They cut their teeth on the same marketplaces. The difference between a low-tier forum vendor and a tier-1 APT operator is often time, reputation accumulation, and network connections, not technical capability.&lt;/p&gt;

&lt;p&gt;This means historical presence is traceable. The actor running a sophisticated state-sponsored campaign in 2025 was likely a marketplace vendor in 2015, active on specific forums, building reputation under earlier identities.&lt;/p&gt;

&lt;p&gt;Correlation across these historical identities becomes possible when actors fail to compartmentalize their operational timelines. When the same behavioral patterns persist across identity changes (the same login rhythms, the same transaction behaviors, the same communication styles), attribution becomes feasible without ever touching encrypted communications. The signal is in the metadata around the messages, not in their content.&lt;/p&gt;

&lt;p&gt;WHY HUMANS CAN'T ESCAPE THEIR PATTERNS&lt;/p&gt;

&lt;p&gt;The fundamental challenge isn't technical; it's neurological.&lt;/p&gt;

&lt;p&gt;Neurotypical individuals struggle to maintain randomized behavioral patterns over extended periods. Our brains default to efficiency through routine. We optimize our behaviors unconsciously. We establish rhythms that feel natural.&lt;/p&gt;

&lt;p&gt;Neurodivergent individuals, particularly those with autism spectrum characteristics, can sometimes maintain pattern-breaking behaviors more consistently. But even they tend to establish new patterns rather than achieving true randomization. Once they adopt a new operational rhythm, they adhere to it with the same rigidity neurotypical individuals show toward their natural patterns.&lt;/p&gt;

&lt;p&gt;This is why the human remains the weakest link in operational security. Technical solutions can be perfected. Behavioral discipline cannot be automated.&lt;/p&gt;
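&lt;p&gt;An added example (my own illustration, not tooling from the author or Aether Intel) of the two points made above: that persistent login rhythms link identities across handle changes, and that "breaking pattern" usually just installs a new pattern. It builds constructed activity logs for several aliases, reduces each to a 24-bin profile of actions by UTC hour, and links aliases whose profiles nearly match. It also scores each profile's entropy: an alias that moves to a new fixed slot scores as low as the original, while only a genuinely uniform schedule approaches the 4.58 bits of a flat day. The alias names, habitual hours, seed and event logs are all made up for the example.&lt;/p&gt;

```python
"""Hour-of-day activity fingerprinting across pseudonymous identities.

Added example, not code from the original article. It models the kind of
correlation the text describes: an operator who keeps the same login rhythm
under a new handle leaves a matching activity profile, and an operator who
"breaks pattern" by moving to a new fixed slot is just as fingerprintable in
the new slot. Every event log here is constructed with a seeded RNG.
"""
import math
import random
from collections import Counter
from datetime import datetime, timedelta, timezone

HOURS = 24


def simulate_activity(rng, habitual_hours, days, per_day, jitter_min):
    """Constructed log: per_day observable actions (posts, listing edits,
    escrow releases) each day, each near the half-hour of one habitual UTC
    hour with Gaussian jitter. Stands in for scraped forum timestamps."""
    start = datetime(2025, 1, 1, tzinfo=timezone.utc)
    events = []
    for day in range(days):
        for _ in range(per_day):
            hour = rng.choice(habitual_hours)
            offset = timedelta(days=day, hours=hour,
                               minutes=30 + rng.gauss(0.0, jitter_min))
            events.append(start + offset)
    return events


def hour_profile(events):
    """Normalised 24-bin histogram: fraction of actions in each UTC hour."""
    counts = Counter(e.hour for e in events)
    total = sum(counts.values()) or 1
    return [counts.get(h, 0) / total for h in range(HOURS)]


def cosine(p, q):
    """Cosine similarity of two profiles; 1.0 means an identical rhythm."""
    dot = sum(a * b for a, b in zip(p, q))
    norm = math.sqrt(sum(a * a for a in p)) * math.sqrt(sum(b * b for b in q))
    return dot / norm if norm else 0.0


def entropy_bits(p):
    """Shannon entropy of a profile. A flat day is log2(24), about 4.58 bits;
    a three-hour evening habit is around 2 bits and easy to re-identify."""
    return -sum(x * math.log2(x) for x in p if x > 0)


def link_aliases(profiles, threshold=0.9):
    """Alias pairs whose rhythms match closely enough to warrant a closer look."""
    names = sorted(profiles)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if cosine(profiles[a], profiles[b]) >= threshold]


def build_scenario(seed=7):
    """Five constructed aliases, returned as name -> hour profile."""
    rng = random.Random(seed)
    logs = {
        # same operator, two forums, two handles a year apart, same evening rhythm
        "alias_A": simulate_activity(rng, [21, 22, 23], 60, 3, 25),
        "alias_B": simulate_activity(rng, [21, 22, 23], 60, 3, 25),
        # unrelated operator working daytime hours
        "alias_C": simulate_activity(rng, [8, 9, 13], 60, 3, 25),
        # the operator behind A "breaks pattern" into a new but equally fixed slot
        "alias_D": simulate_activity(rng, [4, 5], 60, 3, 25),
        # genuinely randomised: uniform over the whole day
        "alias_R": simulate_activity(rng, list(range(HOURS)), 60, 3, 25),
    }
    return {name: hour_profile(ev) for name, ev in logs.items()}


if __name__ == "__main__":
    profiles = build_scenario()
    for name, prof in profiles.items():
        print(f"{name}: entropy {entropy_bits(prof):.2f} bits")
    print("linked:", link_aliases(profiles))
```

&lt;p&gt;Run as a script it prints each alias's entropy and the linked pair. The 0.9 threshold and the 60-day window are assumptions chosen for the toy data; on real scrapes the hour-of-day profile is one weak signal to stack with transaction timing and writing style, not an attribution on its own, and a low similarity proves nothing (a relocated operator shows up as a circularly shifted profile, which this plain cosine does not test for).&lt;/p&gt;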

&lt;p&gt;THE OVERSATURATION OF OSINT TOOLING&lt;/p&gt;

&lt;p&gt;The open-source intelligence landscape has become increasingly crowded. There are now thousands of OSINT tools, frameworks, and platforms available. On the surface, this appears to democratize investigative capability.&lt;/p&gt;

&lt;p&gt;In practice, this oversaturation creates noise. Most tools focus on data collection rather than behavioral analysis. They extract information without understanding context. They scale breadth at the expense of depth.&lt;/p&gt;

&lt;p&gt;Effective attribution doesn't come from tool proliferation. It comes from understanding which patterns matter and which are noise. It comes from recognizing that the most valuable data isn't always the most visible.&lt;/p&gt;

&lt;p&gt;THE FUTURE: ESCALATION ON BOTH SIDES&lt;/p&gt;

&lt;p&gt;Over the next five years, I expect the underground landscape to become simultaneously more accessible and more dangerous.&lt;/p&gt;

&lt;p&gt;AI will continue lowering technical barriers to entry, flooding markets with actors who lack fundamental operational security understanding. Attack volume will increase substantially.&lt;/p&gt;

&lt;p&gt;Simultaneously, AI-powered detection and correlation systems will become more sophisticated. The gap between accessibility and survivability will widen.&lt;/p&gt;

&lt;p&gt;The result will be a more volatile environment where the majority of actors are quickly identified and removed, while a small minority with genuine operational discipline become increasingly difficult to track.&lt;/p&gt;

&lt;p&gt;After ~15 years of direct observation, one truth remains constant: technical sophistication cannot compensate for behavioral discipline.&lt;/p&gt;

&lt;p&gt;Actors invest heavily in encryption, anonymization networks, privacy-preserving cryptocurrencies, and secure communication platforms. These tools work exactly as designed. The technology isn't failing.&lt;/p&gt;

&lt;p&gt;The human using the technology is failing.&lt;/p&gt;

&lt;p&gt;They log in at the same times. They transact during predictable windows. They maintain patterns that feel natural but create signatures. They optimize for convenience over security. They believe anonymity is a state achieved through configuration rather than a discipline maintained through constant vigilance.&lt;/p&gt;

&lt;p&gt;This is why 90% of actors are one mistake away from exposure. Not because their tools failed. Because they couldn't escape being human.&lt;/p&gt;

&lt;p&gt;And being human means leaving patterns.&lt;/p&gt;

&lt;p&gt;Always.&lt;/p&gt;

&lt;p&gt;Adrian Alexandru is a Senior Strategic Intelligence Consultant specializing in underground ecosystem analysis, behavioral profiling, and cryptocurrency crime intelligence.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>darkweb</category>
      <category>tor</category>
      <category>cybersecurity</category>
    </item>
  </channel>
</rss>
